
SCHEDULE 2 - DATA PROTECTION

1. Definitions

1.1. In this Schedule:

1.1.1. the terms “personal data”, “controller”, “processor”, “data subject”, “personal data breach”, “processing” and “supervisory authority” (and related expressions) shall have the meanings given to them in the Data Protection Legislation;

1.1.2. “EU SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the EU GDPR as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, the relevant annexes of which are set out in this Schedule, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;

1.1.3. “Personal Data” means personal data which is processed from time to time by the Parties in connection with the Agreement;

1.1.4. “Processor” means where Holibob processes Personal Data on behalf of the Partner as processor as set out in paragraph 2.1.2 and Appendix 1 (Processor Details).

1.1.5. “Restricted Transfer” means a transfer which is covered by Chapter V of the EU GDPR and/or UK GDPR (whichever is applicable);

1.1.6. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK ICO under section 119A of the UK DPA which came into force on 21 March 2022.  

1.1.7. Capitalised terms not defined in this Schedule have the meanings given to them in Schedule 1 of the Agreement.

2. Relationship

2.1. The Parties acknowledge and agree that:

2.1.1. save where Holibob acts as Processor, each Party will be a separate and independent controller of the Personal Data which it processes pursuant to the Agreement; and

2.1.2. Holibob may act as a processor on behalf of the Partner when processing Personal Data in the course of engaging in the activities in respect of the Services to the Partner as described in Appendix 1 (Processor Details) to this Schedule.

3. Mutual Obligations

3.1. The Parties shall at all times comply with the Data Protection Legislation when processing Personal Data.

3.2. Save where Holibob acts as a Processor, each of the Parties shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Data Protection Legislation.

3.3. When processing Personal Data in connection with the Agreement as a controller, each Party shall:

3.3.1. ensure that it has provided all necessary notices to, and obtained all necessary consents from, data subjects as required under Data Protection Legislation to lawfully share Personal Data with the other Party;

3.3.2. provide the other Party with such co-operation, assistance and information as the other Party may reasonably request to comply with their obligations under the Data Protection Legislation;

3.3.3. only process the Personal Data for the purposes as contemplated and permitted by the Agreement;

3.3.4. implement all appropriate technical and organisational measures to ensure a level of security for the Personal Data which is appropriate to the risks to individuals and to the Personal Data that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data;

3.3.5. in the event that it becomes aware of a personal data breach involving or affecting any Personal Data in its possession or control, it shall promptly inform the other Party giving full details of the same, and the Parties shall co-operate reasonably in order to enable each Party to comply with their own requirements in relation to the personal data breach under Data Protection Legislation;

3.3.6. in the event that it receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence”) related to (a) the disclosure of the Personal Data by the other Party under the Agreement or (b) processing of Personal Data by the other Party, it shall, unless prohibited by law to do so, promptly inform that other Party giving full details of the same, and the Parties shall cooperate reasonably in order to respond to the Correspondence in accordance with any requirements under Data Protection Legislation; and

3.3.7. in the event that it receives a request from a data subject addressed to them and relating to the Personal Data, it shall respond to such request in accordance with the Data Protection Legislation. Each Party shall provide reasonable assistance to the other Party to the extent reasonably required for the other Party to respond to any requests made by data subjects that relate to the Personal Data in accordance with the Data Protection Legislation.

4. Processor Obligations

4.1. The provisions in this paragraph 4 only apply to the extent Holibob acts as Processor.

4.2. The scope, nature and purpose of processing by Holibob, the duration of the processing and the types of Personal Data and categories of data subject are set out in Appendix 1 (Processor Details) to this Schedule.

4.3. Holibob shall:

4.3.1. only process the Personal Data in accordance with the Partner's written instructions from time to time, unless otherwise required by law, in which case, Holibob shall inform the Partner of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest;

4.3.2. ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

4.3.3. take all appropriate technical and organisational measures (including such measures set out in Appendix 2 as applicable to the Service) to ensure a level of security for the Personal Data which is appropriate to the risks to individuals and to the Personal Data that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data;

4.3.4. enter into a written agreement with each sub-processor that imposes obligations on the sub-processor which are no less onerous than those imposed on Holibob as Processor. Holibob shall remain fully liable to the Partner for the acts and omissions of its sub-processors;

4.3.5. taking into account the nature of the processing, provide reasonable assistance, by appropriate technical and organisational measures, insofar as this is possible, to enable the Partner to fulfil their obligations to respond to any requests from data subjects in accordance with Data Protection Legislation;

4.3.6. provide reasonably required assistance to enable the Partner to comply with their obligations under Data Protection Legislation relating to personal data breach notifications, data protection impact assessments and prior consultations;

4.3.7. in the event that it becomes aware of a personal data breach involving or affecting any Personal Data, notify the Partner without undue delay giving full details of the same, and Holibob shall reasonably cooperate in order to enable the Partner to comply with their own requirements in relation to the personal data breach under Data Protection Legislation;

4.3.8. upon expiration or termination of the provision of the Services relating to the processing of the Personal Data, at the Partner's choice, return or erase all such Personal Data (including any copies of it) in its possession or control unless Holibob is required to retain or store Personal Data in order to comply with Applicable Laws;

4.3.9. make available to the Partner all information necessary to demonstrate that Holibob is in compliance with this paragraph 4; and

4.3.10. permit the Partner (either itself or through a professional and reputable third party auditor appointed by the Partner) to audit Holibob's compliance with this paragraph 4 on not more than one occasion in each calendar year and upon providing Holibob with a minimum of twenty (20) Business Days' notice. Holibob shall provide the Partner (and their third party auditor as the case may be) on reasonable request with such reasonable and supervised access to Holibob's documents, premises and systems solely as required for the purposes of compliance with this paragraph 4.3.10.

 4.4. The Partner hereby provides its general authorisation to the appointment of sub-processors by Holibob, provided that the Partner shall be appropriately notified of any proposed addition to, or replacement of, any sub-processor and given a reasonable opportunity to object to any such change. The Partner must raise any reasonable objections in writing on legitimate grounds within 14 days after receiving notice of the change, otherwise the change will be deemed accepted. In the event of any objection reasonably raised in accordance with this paragraph, the Parties shall enter into good faith discussions to agree a workaround. However, if no such workaround is agreed in Holibob’s reasonable opinion, Holibob shall be entitled to terminate the Services relating to the change in sub-processor.

5. International Transfers

5.1. This paragraph 5 shall only apply to the extent Holibob makes a Restricted Transfer to the Partner.

5.2. In the event that Holibob is subject to the EU GDPR and transfers Personal Data to the Partner for processing outside the EEA, and the transfer is a Restricted Transfer and is not on the basis of an adequacy decision as described in Article 45 of the EU GDPR, then the parties will comply with the Module 1 or Module 4 version of the EU SCCs (whichever is applicable in accordance with this Schedule), which are deemed incorporated into and form part of the Agreement and completed as follows:

5.2.1. the optional redress language under Clause 11(a) of the EU SCCs will not apply;

5.2.2. Option 1 will apply in respect of Clause 17 of the EU SCCs and the governing law will be Ireland;

5.2.3. the choice of forum and jurisdiction under Clause 18(b) of the EEA SCCs will be the courts of Ireland;

5.2.4. Annexes I and II of the EU SCCs are deemed to be populated with the information set out in Appendix 3 (EU SCCs Details) below; and

5.2.5. Annex III of the EU SCCs will not apply.

5.3. In the event that Holibob is subject to the UK GDPR and transfers Personal Data to the Partner for Processing outside the UK, and the transfer is a Restricted Transfer and is not on the basis of an adequacy decision as described in Article 45 of the UK GDPR, then the EU SCCs shall apply in accordance with paragraph 5.2 and shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form a part of the Agreement. Where the UK Addendum applies in accordance with this paragraph:

5.3.1. (a) Tables 1 and 3 in Part 1 of the UK Addendum shall be deemed completed with the relevant information set out in the Appendix to the EU SCCs and (therefore) Appendix 3 below; (b) in Table 2 of Part 1, the “Addendum EU SCCs” are deemed to be the EU SCCs incorporated into the Agreement (in accordance with the aforementioned paragraph) including the Appendix Information (as defined in the UK Addendum); and (c) Table 4 in Part 1 is deemed completed by selecting “neither party”; and

5.3.2. any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Sections 9, 10 and 11 of the UK Addendum.

5.4. In the event of any conflict between the provisions of the EU SCCs (and UK Addendum where applicable) (together the “Restricted Transfer Clauses”) and the remaining terms of the Agreement (including this Schedule) then the Restricted Transfer Clauses shall take precedence. The terms of the Agreement, including this Schedule, shall not, and do not seek to, vary the Restricted Transfer Clauses in any way.


Appendix 1 - Processor Details

Subject matter of the processing of Personal Data

Holibob will process Personal Data in connection with the applicable Services to be provided under the Agreement.

Duration of the processing of Personal Data

Holibob will process the Personal Data for the duration of the Agreement and, following expiry, in accordance with Data Protection Legislation and the terms of this Schedule and Agreement.

Nature and purpose of the processing of Personal Data

Holibob shall process Personal Data on behalf of the Partner as processor: (a) where both Parties agree in writing that Holibob is a processor; and (b) in the following circumstances and for the following purposes:

Services

Types of Personal Data

Categories of data subject

Processing Activities

 

Marketing Platform Services

The following data as provided by the Partner to Holibob: name, contact details (including email address and/or number), travel booking details, customer preferences (relating to tours and experiences) and unique ID code.

Partner’s Customers

Requesting Customer feedback and preferences, processing Customer feedback and sending marketing communications to Customers based on their feedback.

Switch Technology Services

Customer name, contact details (including email address and/or number) and travel booking details.

Personal data contained within Partner Content (e.g. contact names and named individuals within a business (e.g. tour guides) running the tours and experiences)

Customers and Partner Suppliers

As above.

As described in the Switch Technology Annex

Bookable Extranet Services

 As described in the Bookable Extranet Annex

Holibob API Services

As described in the Holibob API Annex

The types of Personal Data to be processed and categories of data subject

As set out in the table above.


Appendix 2 – Technical and Organisational Measures

Security Measure

Practices

Encryption

Where applicable to the service, industry-accepted encryption practices are used to protect data and communications; data is encrypted in transit and at-rest using AES-256 encryption via AWS’ managed encryption key process.

Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Backed-up data is always available for a current restore in the event of corruption or accidental deletion.

Appropriate security incident management policies and procedures are in place in the event of an incident.

Where applicable to the service, Holibob has in place service level commitments relating to availability, support response times and recovery times.

Holibob’s partner support can be contacted by logging an issue in the support portal. The Holibob extranet and support portal tool is accessible 24 hours a day, 7 days a week, for 365 days a year. For the highest severity incidents, all appropriate Holibob technical resources are involved 24/7 until the problem is resolved.

Holibob has put in place, and maintains, a written business continuity and disaster recovery plan.

Ongoing Confidentiality, Integrity, Availability and Resilience

All Holibob systems are hosted on Amazon Web Services (AWS) with primary systems located in the Republic of Ireland (EU) and backup systems in the UK.

Commercially reasonable and appropriate methods and safeguards are utilised to protect the confidentiality, availability, and integrity of partner data (including personal data).

Holibob ensures that personnel authorised to access partner data (including personal data) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

All Holibob staff are duly trained on data security and must comply with relevant security practices and policies. System administrators, developers and other users with privileged access receive special and on-going training.

Anti-malware controls are maintained to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to partner data (including personal data).

Physical access to our offices is controlled by [no physical office]

Our technology is set up, and catered, to comply with any data rights requests made by individuals so as to make it simpler to meet our partners’ and our respective obligations under applicable data privacy laws. Where we act as processor, we can easily retrieve and delete an individual’s personal data upon request from our partner.

Regularly Testing, Assessing and Evaluating the Effectiveness of the Measures

Penetration and vulnerability testing is conducted annually.

Holibob’s HR onboarding and off-boarding processes handle provisioning and de-provisioning of accounts and access.

When selecting any potential provider involved in the processing of personal data, we undertake appropriate due diligence on those providers to ensure that personal data, if any, that is processed by these third parties is carried out in accordance with applicable data protection laws.

We keep and maintain appropriate IT, security and data protection policies internally that address the roles and responsibilities of personnel, including both technical and non-technical personnel, who have access to partner data (including personal data) in connection with providing our services.

Where it is necessary to transfer personal data to a provider based outside the UK and/or EEA, and within a country with no EU or UK adequacy decision, we would carry out the necessary risk assessments and put in place the appropriate safeguards, such as standard and contractual clauses in our contract with that data recipient, to ensure protection of that personal data and adherence with data privacy laws.

In addition, we have robust processes in place that review staff access to systems and respond promptly to security threats.

Holibob maintains commercially reasonable controls for information governance and data management in connection with the Services.

Holibob shall make reasonable efforts to use the minimum necessary personal data to provide its services.

Holibob defines accountability in this section as holding individuals accountable for their internal control responsibilities. In particular:

  • a member of personnel may be terminated for non-compliance with a policy and/or procedure; and

  • a performance review of staff is conducted on an annual basis to evaluate the performance of staff against expected levels of performance and conduct and hold them accountable for their internal control responsibilities.


Appendix 3 - (EU SCCs Details)

ANNEX I

A.

Data exporter: Holibob as set out in the Agreement Details

Data importer: the Partner as described in the Agreement Details

B.

Categories of data subjects whose personal data is transferred: Customers and (to the extent there is Personal Data) Third Party Suppliers

Categories of personal data transferred:

In respect of Customers: name, email address and/or number, travel booking details, customer preferences

In respect of Third Party Suppliers: name and contact details (email address or phone number)

Sensitive data transferred: none

Frequency of the transfer: on a continuous basis for the duration of the Agreement

Nature and purposes of the transfer: as described in the Agreement and the respective Annexes

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: for the duration of the Agreement and, following expiry or termination, in accordance with the terms of the Agreement

C.

The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II

Where Holibob is acting as processor, Appendix 2 shall apply. In any case, the parties shall:

  • have authorised persons with appropriate training and permission to have access to personal data;

  • ensure data is securely stored in secure cloud servers;

  • ensure there are secure and established controls to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; 

  • have an established and organised incident response process that ensures timely notification and response to information security and/or personal data incidents.
